Date:      Mon, 23 Oct 2000 15:25:02 -0700
From:      "Crist J . Clark" <cjclark@reflexnet.net>
To:        Kirk Brogdon <kirk@alaptech.com>
Cc:        freebsd-questions@FreeBSD.ORG
Subject:   Re: natd / tcpdump diag question
Message-ID:  <20001023152502.M75251@149.211.6.64.reflexcom.com>
In-Reply-To: <20001023131959.A212@bsd1.alaptech.com>; from kirk@alaptech.com on Mon, Oct 23, 2000 at 01:19:59PM -0800
References:  <20001023131959.A212@bsd1.alaptech.com>

On Mon, Oct 23, 2000 at 01:19:59PM -0800, Kirk Brogdon wrote:
> This is a repost from a week or so ago with some updated info. . . .
> 
> 4.1.1 Stable
> cable modem on fxp0
> lan on rl0 (3 Win98 boxes)
> 
> I started getting flooded with the "natd[]: failed to write packet
> back, (host is down) messages.  I found some archives where Crist Clark
> said to run tcpdump on the interface and look for arps that weren't
> getting an answer.  I tried that first on the outside net I/F (fxp0 
> in my case) since that is how I have the natd interface configured
> in rc.conf (natd_interface="fxp0").  This gave me what appeared to 
> be every arp request for the cable network.  I then tried the 
> tcpdump on my lan I/F (rl0) and got the following:
> 
> 11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com
> 11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d
> 11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6
> 
> I have no idea who 132.17.0.60 is nor why I would see the requests
> on my lan I/F.  I did a traceroute on that IP and got as far as
> 132.17.120.11 (about 18 hops).  If I try and ping 132.17.0.60, it
> is refused (I assume it is behind a firewall).
> 
> I did disconnect the lan from the FBSD box and the messages stopped.
> I was able to track it down to one Win98 machine (by trial and error)
> but I still don't get it.  The mac is not the same as what is in 
> that box (according to Win98 anyway) nor is the IP.  The Win98 box
> seems to be working fine.  Why would it be generating these arp
> requests over and over?  Is the card bad?  Is someone doing bad
> things to me?

This is really neat. From what I can find, 03:00:00 is not assigned to
any vendor for use in MAC addresses. It looks like that machine is
crafting the whole frame. As for that address,

  $ whois -a 132.17.0.6
  Lindsey Air Station (NET-LINDSEY)
     GERMANY

     Netname: LINDSEY
     Netnumber: 132.17.0.0

     Coordinator:
        Boyles, Steve  (SB152-ARIN)  wingtcf@RAMSTEIN2-EMH.AF.MIL
        (DSN) 314-339-3230

     Record last updated on 12-Jul-1996.
     Database last updated on 23-Oct-2000 06:19:18 EDT.

  The ARIN Registration Services Host contains ONLY Internet
  Network Information: Networks, ASN's, and related POC's.
  Please use the whois server at rs.internic.net for DOMAIN related
  Information and whois.nic.mil for NIPRNET Information.

Looks like a US Air Force base in Germany. I'd keep an eye out for
black helicopters.

You might consider firing up an IDS on your LAN there and seeing what
is going on.
-- 
Crist J. Clark                           cjclark@alum.mit.edu
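A LAN-side check of the kind Crist suggests, run over the tcpdump lines Kirk posted. This is an added example, not code from the thread; the LAN prefix 192.168.1.0/24 is an assumption (the thread never states the LAN range), and hosts tcpdump printed as resolved names are assumed to be local.

```python
import re
from ipaddress import ip_address, ip_network

# Old-style tcpdump ARP lines as quoted in the thread (the MAC in parentheses is
# the ARP target hardware address, which a normal request leaves at zero).
REQ = re.compile(r"^\S+ arp who-has (\S+?)(?: \(([0-9a-f:]+)\))? tell (\S+)$")
REP = re.compile(r"^\S+ arp reply (\S+) is-at ([0-9a-f:]+)$")

def group_bit_set(mac):
    # I/G bit of the first octet set: a group (multicast) address, never a single host.
    return int(mac.split(":")[0], 16) & 1 == 1

def on_lan(host, lan):
    # tcpdump printed names it could resolve locally; treat those as on the LAN (assumption).
    try:
        return ip_address(host) in lan
    except ValueError:
        return True

def analyze(lines, lan_cidr):
    """One finding per ARP target that never got a reply, with why it looks wrong."""
    lan = ip_network(lan_cidr)
    pending = {}  # target -> {"count", "sender", "tha"}
    for line in lines:
        m = REQ.match(line)
        if m:
            target, tha, sender = m.groups()
            e = pending.setdefault(target, {"count": 0, "sender": sender, "tha": tha})
            e["count"] += 1
        elif (m := REP.match(line)):
            pending.pop(m.group(1), None)  # answered, so not suspicious
    findings = []
    for target, e in pending.items():
        checks = [("repeated unanswered request", e["count"] > 1),
                  ("sender not on LAN", not on_lan(e["sender"], lan)),
                  ("target not on LAN", not on_lan(target, lan)),
                  ("group bit set in target MAC", bool(e["tha"]) and group_bit_set(e["tha"]))]
        reasons = [why for why, hit in checks if hit]
        if reasons:
            findings.append({"target": target, "sender": e["sender"],
                             "count": e["count"], "reasons": reasons})
    return findings

# The capture quoted in the thread; the LAN prefix 192.168.1.0/24 is an assumption.
SAMPLE = [
    "11:31:47.774308 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6",
    "11:32:05.846045 arp who-has bsd1.alaptech.com tell alap2.alaptech.com",
    "11:32:05.846078 arp reply bsd1.alaptech.com is-at 0:e0:29:70:43:5d",
    "11:32:17.774797 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6",
    "11:32:47.774879 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6",
    "11:33:17.775523 arp who-has 132.17.0.60 (3:0:0:0:a1:26) tell 132.17.0.6",
]
```

Run `analyze(SAMPLE, "192.168.1.0/24")`: the answered request for bsd1 drops out, and the 132.17.0.60 requests are reported with all four reasons, which is the same conclusion Crist reached by hand.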
